Man-machine interface for controlling access to electronic devices

ABSTRACT

This application relates to devices, methods and computer readable media that allow users using a first device to be easily authenticated. For example, while the first device is proximate to a second device, the first device requests user authentication using the one or more biometric sensors. After requesting the user authentication, the first device detects biometric information associated with the user with the one or more biometric sensors. In response to detecting the biometric information associated with the user, in accordance with a determination that the detected biometric information associated with the user meets authentication criteria, the first device provides credentials associated with the user to the second device. In accordance with a determination that the detected biometric information associated with the user does not meet the authentication criteria, the first device forgoes providing the credentials associated with the user to the second device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to and is a continuation of U.S. patent application Ser. No. 12/732,946, entitled “Man-Machine Interface For Controlling Access To Electronic Devices,” filed Mar. 26, 2010, which is a continuation of U.S. patent application Ser. No. 12/430,702, entitled “Man-Machine Interface For Controlling Access To Electronic Devices,” filed Apr. 27, 2009, now U.S. Pat. No. 7,688,314, which is a continuation of U.S. patent application Ser. No. 12/201,568, entitled “Man-Machine Interface For Controlling Access To Electronic Devices,” filed Aug. 29, 2008, now U.S. Pat. No. 7,525,537, which is a continuation of U.S. patent application Ser. No. 10/997,291, entitled “Man-Machine Interface For Controlling Access To Electronic Devices,” filed Nov. 24, 2004, now U.S. Pat. No. 7,420,546, which is a divisional of U.S. patent application Ser. No. 10/858,290, entitled “Man-Machine Interface For Controlling Access To Electronic Devices,” filed Jun. 1, 2004, now abandoned, which claims priority to U.S. patent application Ser. No. 60/474,750 entitled, “Secure Biometric Identification Devices and Systems for Various Applications,” filed May 30, 2003, each of which is hereby incorporated by reference in their entireties.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to the field of electronic device user interfaces and authorization techniques, and more specifically to the field of fingerprint imaging sensors and touch screen display apparatuses.

2. Necessity of the Invention

Modem electronic devices have developed a myriad of functionalities and associated user interfaces. Many electronic devices use a display screen, such as a monitor or display apparatus, to provide feedback to the user. Handheld devices, such as the personal digital assistant and the cell phone, have an important user interface constraint—form factor. In both devices, manufacturers desire to minimize the size and weight of the device; as one means to accomplish this, the display is small and buttons are placed close together.

In recent years, manufacturers of many electronic devices have substituted touch screen technology for the traditional display. Touch screens have the same appearance and style of a traditional screen, but have the added ability to determine the location of applied pressure. This allows individuals to use a stylus in a similar manner as a person uses a mouse to point to icons on a monitor—the individual may touch the screen at the location of a particular icon. Software running on the device determines the location of the touch and determines the associated software function, such as opening an address book. Because the additional button control interface can be eliminated, manufacturers can make the display larger and simpler to use.

As the functionality of electronic devices expands, individuals may wish to protect certain data stored within the device. For example, the owner of a personal digital assistant may choose to use his PDA to send and receive private e-mail. If the data is particularly sensitive, a simple password or PIN combination may not be considered adequate security and the individual may desire to use biometric authentication on the device. The most common form of biometric authentication, fingerprint scanning, requires a hardware module that is typically the size of a postage stamp. On a device where size and weight are limited, the addition of this module can be costly.

Digital Fingerprint Capture Technologies

There are three common types of fingerprint capture technologies: optical, capacitive, and ultrasonic. Each of the three technologies combines its associated hardware capture mechanism, which varies from type to type, and typically a software or firmware controller. This controller is often responsible for analyzing the captured image, extracting minutia points, and creating a final template. Minutiae are points that represent all of the unique characteristics of a fingerprint—one example is the location of an intersection of ridges or valleys in the print. A template is typically composed of thirty minutiae and can be used to uniquely identify a fingerprint. This allows the scanner or other storage device to store only the requisite data points without storing the entire image.

Of the three types of fingerprint capture technologies, optical scanners are the oldest and most common, and they are composed of a glass or plastic plate with a light source and a charge coupled device (CCD) beneath. The light source is typically an array of light emitting diodes (LEDs), and the CCD is an array of light-sensitive diodes. When the finger is placed on top of the plate, the LEDs illuminate the finger and each diode of the CCD records the light that touched it, creating an image in which the ridges are dark and the valleys are light. Optical scanners are fairly resistant to temperature fluctuations, and can provide an image quality of approximately 500 dots per inch (dpi). One major concern of this technology is that latent prints—“left over” fingerprints on the plate—can cause a superpositioning effect and create error. Additionally, these types of scanners are susceptible to “gummi bear attacks”, in which a fingerprint is lifted from a glass or other object, placed on a pliable and sticky material, such as a gummi bear, and can provide a false acceptance. One other point of note is that the plate must be quite large; this creates ease of use but may take unavailable real estate on a board.

Capacitive sensors are much newer than optical scanners, and are composed of an array of cells; each cell has two adjacent conductor plates, which are embedded within an insulating layer. The insulating layer is typically a glass plate. When the finger is placed on top of the insulating layer, it creates a subsequent electric field between the finger and the conductor plates, creating capacitance. Because the surface of a finger is a succession of ridges and valleys, the electric field varies over the face of the finger as the distance from the plate to the finger varies. The capacitance or voltage may be determined from the electric field, and is commonly translated into an 8-bit grayscale image with approximately 200 to 300 grid points in both the x-and y-plane. This creates more detailed data than the optical sensor. Capacitive scanners are typically smaller than optical sensors because the cells are composed of semiconductor devices, rather than a CCD unit.

While capacitive scanners are cheaper and smaller than optical sensors, their durability is unknown due to their short time in use, and the small size can make it more difficult for an individual to enroll and authenticate properly. Most fingerprint sensors use direct current (DC) coupling, although a few companies are beginning to use alternating current (AC) coupling to penetrate to the live layer of the skin. Because the capacitive scanner is dependent on the electric field and capacitance between a finger and the glass plate, the scanner cannot be fooled by the “gummi bear attack” as described above; the dielectric constant for the finger is much different from a gummi bear, and so the capacitance will vary significantly.

The most accurate but least common finger-scanning technology is ultrasound imaging. In this type of sensor, two transducers are placed on the x- and y-axes of a plate of glass—one each for receiving and transmitting—for propagating ultrasound waves through a glass plate; when the finger is placed on top of the glass, the finger impedes the waves and the receiving transducer can measure the alteration in wave patterns. This type of scanner is very new and largely untested in a variety of conditions, but initial results show promise for the technology. It combines the large plate size and ease of use of the optical scanners with the ability to pervade dirt and residue on the scanner, an advantage of capacitive scanners.

Touch Screen Technologies

Touch screens are quite similar to the fingerprint scanners described above. They recognize a finger pressure on the screen and typically calculate the center or peak point of the pressure. Current touch screen technologies fall under five different types of technology: analog resistive, capacitive, infrared, acoustic wave, and near field imaging. The analog resistive, capacitive and acoustic wave technologies are the most commonplace due to their clarity and endurance under a variety of conditions. Infrared is very sensitive to a light touch and may be impractical, while near field imaging is very new, suitable for very harsh conditions, and frequently cost-prohibitive. For these reasons only the first three technologies are examined in much detail. Similarly to the fingerprint scanning technology there is typically an associated software or firmware controller to perform requisite data analysis.

The analog resistive technology is composed of a glass plate and a plastic plate stacked over a flat-panel screen or display. Both the glass and plastic plates are coated with a transparent conductive material, such that the conductive material is sandwiched between the two plates. Tiny separator dots keep the two plates from touching under normal conditions, but when pressure is applied to the plastic plate, the dots move and the two surfaces come together to conduct electricity. An electronic controller instantly calculates the x- and y-coordinates, allowing resistive touch screen technologies to have very high precision and resolution. This also allows an individual to have relative freedom when selecting an object as a stylus; the individual may use a pen, finger, or other convenient utility.

Capacitive coupled technologies require the use of a conductive stylus—this may be a finger, but not a gloved hand because the cloth will prevent the conduction of charge. Capacitive technologies use a flat-panel display with a single glass plate resting on top. The glass plate is covered in a transparent metal oxide on the exterior surface; when the finger or alternate stylus comes into contact with the conductive surface; capacitive coupling occurs at the point of contact and draws electrical current. The controller registers the change in current and the x- and y-coordinates can be determined. As mentioned above, because the technology requires use of a conductive stylus, non-conductive surfaces will prevent the change in electrical current and will not have any effect on the touch screen. Furthermore, the exposed glass surface in this technology makes it susceptible to scratches and can inhibit correct operation of the screen.

Acoustic wave touch screens are more complicated than the capacitive and resistive technologies. There are two types of acoustic wave technologies: guided acoustic wave (GAW) and surface acoustic wave (SAW). Both use a single plate of glass placed on top of a flat-panel display, with a similar transducer arrangement as described above for the ultrasound imaging. GAW screens transmit a wave through the glass panel (using the glass as a waveguide), while SAW screens transmit the wave on the surface of the glass; in both technologies, transducers detect a dampening of the wave that occurs when pressure is applied to the glass, which is translated into x- and y-coordinates. Similarly to the capacitive coupled screens, SAW screens have stylus limitations; the stylus must be soft and able to absorb energy in order to dampen the wave, and are generally only practical in instances where the stylus is a finger. These types of touch screens also have the glass surface limitation described above.

3. Description of the Related Art

A multitude of single-purpose display apparatuses, fingerprint sensors and touch screens are available commercially. Furthermore, several companies offer commercial products that embed fingerprint-scanning hardware within display apparatus technology. One such example, Ethentica and Philips FDS' (a wholly owned subsidiary of Philips Corporation) joint venture TactileSense™ finger scanning hardware, comprises a transparent optical sensor that can be embedded into a pane of glass. The TactileSense optical sensor comprises a unique TactileSense polymer, a silicon glass camera/CCD, and a control ASIC. The TactileSense polymer is placed on top of the silicon camera, which is embedded within glass to provide hardness and durability. The TactileSense polymer is the heart of the sensor, comprising five layers: insulating, black-coat, transparent conductive, light-emitting phosphor, and base. The insulating and black-coat layers enhance the performance of the sensor by preventing liquid or other particles from entering the sensor, and by preventing sunlight from entering the sensor. The chief layers are the transparent conductive and light-emitting phosphor layers, which serve to supply current to the polymer and to illuminate the fingerprint. When a finger is placed on the TactileSense polymer, the polymer illuminates the fingerprint and creates an image. The silicon camera detects the illumination, and the ASIC converts it to digital format for processing.

U.S. Pat. No. 6,327,376 to Harkin describes a fingerprint sensor comprised of an array of sensing elements. The sensing elements use both capacitive and optical techniques to generate the image; the device is constructed using a transparent conductive material for the electrodes contained within. However, despite the inclusion of the sensor within a display apparatus, there is little discussion of using the display as a touch screen or user navigation interface.

U.S. Pat. No. 6,501,846 to Dickinson et al. discloses a method and system for computer access and cursor control using a relief object image generator. The relief object image generator is capable of capturing a 2-D image based on the 3-D relief of an object, such as a finger. The apparatus of Dickinson's invention can be used to simultaneously authenticate an individual's fingerprint, and move a cursor on a screen or perform other control-related functions related to the movement of the individual's finger. This application is targeted primarily at replacing mice, function keys, and other control mechanisms on devices where space is limited. However, Dickinson does not address use of biometric recognition incorporated with touch screen user navigation.

DigitalPersona also offers fingerprint-scanning hardware that is transparent and can be placed over display apparatuses, marketed as U.are.U Crystal™. This hardware is also comprised of an optical sensor that uses completely transparent materials. It is ultra-thin, enabling it to be placed in mobile or other electronic devices where real estate is a significant concern. Again, however, this product does not demonstrate any of the touch screen properties as exhibited in the current invention.

BRIEF SUMMARY OF THE INVENTION

The invention disclosed herein describes a man-machine interface device for controlling access to electronic devices. The man-machine interface device comprises an electronic display apparatus that is capable of presenting graphic text, images, icons, and other data typically shown on a screen, while further including a transparent finger touch sensor region that is seated above the display apparatus. This finger touch sensor region is responsible for determining the presence and absence of a finger, and is further responsible for generating fingerprint images when a finger is detected. The man-machine interface device also includes a controller unit that is coupled to the display apparatus, the finger touch sensor region, and at least one electronic device. The controller unit is capable of controlling data flow between the display apparatus, the finger touch sensor region and the electronic device, and for calculating finger touch locations based on a fingerprint image generated by the transparent finger touch sensor region. It can receive text from the electronic device, which is intended for presentation on the display apparatus, or conversely send a fingerprint image to the electronic device, among other functions.

The method of the invention describes a process for authenticating individuals and verifying their security privileges to access sensitive data, based on a finger-touch selection of an icon presented on the display apparatus of the man-machine interface device.

BRIEF DESCRIPTION OF DRAWINGS Master Reference Numeral List

FIG. 1: Apparatus

100 Apparatus

101 Finger touch sensor region

102 Display apparatus

103 Controller

FIG. 2: Apparatus, based on optical sensor technology

102 Display apparatus

201 Charge coupled device

202 Glass or plastic plate

203 Light source

FIG. 3: Apparatus, based on capacitive sensor technology

102 Display apparatus

302 Glass plate, coated with transparent metal oxide

303 Electric field

FIG. 4: Apparatus, based on ultrasonic/acoustic wave technology

102 Display apparatus

402 Glass plate

403 Ultrasonic/acoustic wave generator

FIG. 5: Authenticating to the apparatus

501 Human thumb

502 E-mail icon

503 PDA

FIG. 6: Method for authenticating

601 Is there a finger present?

602 Create a fingerprint image

603 Calculate the location of the finger touch

604 Is there an icon at the finger touch location?

605 Is there a function associated with the icon?

606 Does the function require fingerprint authentication?

607 Does the fingerprint match a stored fingerprint?

608 Determine access rights for matched fingerprint

609 Allow user access to function?

610 Authorize user access to function

611 Quit

FIG. 1 is a schematic view of the apparatus of the invention.

FIG. 2 is a schematic view of the apparatus of the invention, when optical sensing technology is used.

FIG. 3 is a schematic view of the apparatus of the invention, when capacitive sensing technology is used.

FIG. 4 is a schematic view of the apparatus of the invention, when ultrasonic/acoustic wave technology is used.

FIG. 5 is a schematic view of the apparatus of the invention being used to authenticate to a PDA.

FIG. 6 is a flow chart of the method of the invention.

FIG. 7 is a schematic view of components of a BPID.

FIG. 8 is an exemplary external view of the BPID.

FIG. 9 is a schematic view of a BPID Interaction with System.

DETAILED DESCRIPTION OF THE INVENTION

The apparatus of the invention is a primary man-machine interface device that incorporates biometric authentication into a touch-sensitive display. Juxtaposing these two technologies provides a simple user interface, and additionally, an economy of space for handheld or portable devices that require ease-of-use along with biometric authentication; devices can use the functionality of a display, control keys or buttons, and a fingerprint sensor, by replacing them with the man-machine interface device of this invention.

Fingerprint scanning typically requires more detail, precision, and data analysis then touch screen technology. The most common use of fingerprint scanning is comparison between a new, “live” fingerprint, and an older stored fingerprint, where the comparison is typically between minutiae points calculated for both fingerprints. This can be used to verify or identify an individual who has already been entered into a system. If the fingerprint scanner fails to accurately analyze a print, the scanner may provide a false acceptance—reporting that the new fingerprint is the same as the old, when they actually are not—or false rejection—reporting that the two fingerprints are different when they are not. However, if a touch screen registers a touch location incorrectly, it is only a minor inconvenience to recalibrate the touch screen and renavigate the user interface.

The primary embodiment of the man-machine interface device 100 incorporates a transparent finger touch sensor region 101, an electronic display apparatus 102, and a controller 103, as seen in FIG. 1. The finger touch sensor region 101 is layered on top of the display apparatus 102, and is capable of determining the presence and absence of finger touches. It can additionally generate fingerprint images, which are transmitted to, and used by, the controller 103. The display apparatus 102 must be capable of presenting graphic data, text, images, icons and other information, and may range from a cathode ray tube display, such as a television or monitor, to a liquid crystal display. The controller 103 is coupled to the finger touch sensor region 101 and the display apparatus 102, as well as peripheral electronic devices, such as a PDA.

One alternate embodiment of the apparatus 100 is based on optical fingerprint scanner technology, and can be seen in FIG. 2. A plate 202 is placed over the display apparatus 102, with a light source 203 and a CCD 201 between the two. The light source 203, the plate 202, and the CCD 201 must all be transparent, or items would not be viewable on the display apparatus 102.

FIG. 3 shows an alternate embodiment of the present invention, which is based on a capacitive fingerprint sensor and a capacitive touch screen. A glass plate 302 coated with transparent metal oxide is placed on top of the display apparatus 102. When the finger is placed on the glass plate of the finger touch sensor region 101, an electric field 303 is created and the finger touch location and fingerprint can be determined.

Another alternate embodiment of the apparatus 100 is based on the ultrasonic imaging fingerprint sensor and the acoustic wave touch screen. This can be seen in FIG. 4. Again a glass panel 402 is placed on the display apparatus 102. Ultrasonic waves 405 are propagated by means of an ultrasonic or acoustic wave generator 403 either through or on top of the glass panel 402, using it as a wave guide. When a finger is placed on the finger touch sensor region 101 it interferes with the traveling wave, generating the fingerprint or touch location. Because the wave guide is based on the principle of total internal reflection, the angle of incidence of the propagating wave 405 must be such that it doesn't interfere with the optical properties of the display apparatus 102 behind it. This is affected by the thickness of the glass panel 402 and the frequency of the propagating wave 405.

Regardless of the embodiment of the apparatus 100, the controller 103 must be capable of receiving data from a peripherally-connected electronic device and displaying it on the display apparatus 102. The controller 103 must also be able to receive fingerprint images from the finger touch sensor region 101, and to calculate the location of finger touch events from these images. Additionally, the controller 103 is responsible for calculating minutiae points of a fingerprint associated with a finger touch on the finger touch sensor region 101. Any calculated data, such as a location or minutiae, can be transmitted from the controller 103 back to the peripheral device. If required, the controller 103 may be capable of storing fingerprint minutiae points, and/or comparing fingerprint minutiae points. In one preferred embodiment of the invention, the location can be determined by extrapolating the center point of the finger touch on the finger touch sensor region 101. However, the algorithmic choice does not fa within the scope of this invention; the location can be determined by any appropriate method.

The peripherally-connected electronic device referred to above is the device using the man-machine interface device. For example, if the man-machine interface device were to be used as a replacement for the touch screen and buttons on a personal digital assistant (PDA), the PDA would be considered the peripherally-connected electronic device. It is responsible for sending data to the controller 103 for display on the display apparatus 102, and for requesting and receiving finger touch data. Additionally, the peripherally-connected electronic device is responsible for maintaining the association between icons or text pictured on the display apparatus 102, and accessing rights for said functions.

The method of the invention provides fingerprint authentication for functions represented by an icon on a display. In the primary embodiment, the method is employed while using the man-machine interface device 100 installed in a PDA, but can be used with other suitable technology; examples explained herein will employ both. The method is intended to replace traditional user interface and authentication methods. For example, the PDA may receive e-mail, which the intended recipient wishes to keep secure. The PDA stores a registered fingerprint for the intended recipient that is associated with the security privileges of the e-mail program. Additionally, the PDA displays an icon on the display apparatus 102 that accesses the e-mail program on selection.

FIG. 5 shows an individual 501 using the man-machine interface device 100 of the present invention, to touch the finger touch sensor region 101 over the icon 502 displayed on the display apparatus 102 of the PDA 503—in this example, the e-mail icon. As seen in the flow chart of FIG. 6, the finger touch sensor region 101 detects the presence of the fi (step 601), and generates an image of the fingerprint (step 602), which is passed to the controller 103. The controller 103 calculates the finger touch location (step 603), and determines if there is an icon displayed on the display apparatus 102 at that location (step 604). If an icon exists, the PDA determines which function is associated with the icon (step 605) and if the function requires fingerprint authentication (step 606).

If the function does not require authentication, the PDA directly authorizes access to the function. However, in this example with e-mail, the function does require fingerprint authentication. The PDA examines stored fingerprints, verifying the new image against the stored images (step 607), until a match is found. If a match is found, the PDA determines the security privileges associated with the fingerprint (step 608) and determines if the e-mail function is among these privileges (step 609). If not, the method terminates (step 611); if it is, the PDA allows access to the e-mail function (step 610), and then terminates the authentication method (step 611).

FIGS. 7-9 illustrate a secure, electronic resource management and access control apparatus, method and system. This technique generally relates to the field of electronic asset and resource control and/or access, and more specifically to access based on biometric characteristics of authorized users. For example, the technique described with respect to FIGS. 7-9 relate to an apparatus, method and system by which institutions and application owners that require controlling and/or limiting access to restricted resources can definitively identify individuals requesting admission thereto. The primary apparatus of this invention augments and/or replaces a conventional electronic access key with a unique, privacy- and security-oriented, wireless- and biometrically-enabled personal authentication device equipped with encryption technology adapted for interfacing to custom and/or existing electronic access systems. The method of the invention establishes a procedural basis for creating and deploying an electronic access network wherein preauthorized users are provided with the apparatus of the invention. The system of the invention comprises the issued apparatuses of the invention, predetermined and/or preauthorized access rights and rules, and access points by which the apparatuses communicate with an authority providing said access rights and rules.

Necessity of this invention exists at least as follows. According to the National Burglar and Fire Alarm Association (NBFAA), electronic locks were developed more than 50 years ago, and are currently used to secure a variety of locations including commercial offices, hotel rooms, and bank vaults. There are two components of electronic locks—a mechanical (physical) lock and an electronic system to control the mechanical lock. In the most general scenario, electronic locks work by receiving an input credential, processing the credential, and then opening or closing an electronic relay depending on credential verification. This relay, in turn, releases or closes the mechanical lock. Many electronic locks also include a real-time clock and auditing methods.

Given the range of applications for electronic entry systems, there are a wide variety of attributes in each commercial electronic locking system: different user interfaces for receiving credentials, on/off-line methods for processing credentials, and on/off-line methods for programming the locks.

There are four common user interfaces in these systems: keypads, proximity (RF) cards or key fobs, magnetic stripe cards and smart cards. All of the user interfaces require some sort of ‘reader’ at the access point (i.e., door). The keypad, similar to an ATM, requires the user to remember a PIN code and type it in by hand. Proximity cards or key fobs are programmed with access codes and only require the user to hold the card a short distance from the reader. This is often the best option for those with disabilities. Magnetic stripe cards have three tracks that can be encoded with access codes, and require the user to slide the card through a reader. Smart cards have an embedded computer chip that can store several megabytes (MB) of personal information, and generally provide the highest authentication potential. These systems require the user to push the card into a slot in the reader and wait while the reader processes the credentials. A newer form of user interface uses biometric scanning technology to identify individuals, and often means that a biometric scanner is placed at the entry point. The biometric can range from a fingerprint or handprint to retinal or voice scanning, or possibly a combination of several. Because biometrics are unique to an individual, they are much harder to forge than the types of credentials described above.

The verification of credentials can be performed on- or off-line. In many systems, the electronic component of the lock stores a database of valid users' credentials locally. When a user provides the lock with credentials, electronics in the reader compare the new credentials with the locally stored credentials, and either accept or reject the user. When a new user is added to the system an administrator must travel to each access point and reprogram the lock. This type of system is easy to install, but difficult to maintain in large-scale implementations. Some systems allow the locks to be networked, generally from each access point to a central server in a master-slave relationship. Instead of requiring each lock to store the database of valid users' credentials, the server now stores the database. Many of these systems limit the number of access points on the system; common ranges are from two to 200. Physically, the access point can communicate with the server via its' own Ethernet link, or Ethernet-by-proxy through an IrDA link or through RS-xxx to a networked computer. These on-line verification systems are highly extensible because of the centralized server, although they require more initial configuration.

In most systems that use off-line verification, the lock must be programmed whenever users' credentials change. There are a variety of methods for reprogramming the locks, again on- and off-line. Off-line methods generally depend on the user interface—keypad user interfaces can often be programmed through the keys themselves, which is time-consuming and tedious, while proximity cards often have ‘programming cards’ that an administrator would use to reprogram the database—although many systems include additional programming-only interfaces. Some of the more expensive systems allow the administrator to use a laptop, accompanying software, and a RS-xxx connection to reprogram the lock at each access point.

On-line methods allow the administrator to use a central PC or laptop along with accompanying software to reprogram the entire network of locks at one time.

Current systems that use keypads, proximity (RF) cards or key fobs, magnetic stripe cards or smart cards have a variety of associated problems. First, they cannot verify large quantities of unique information; a keypad requires only a PIN code that can easily be compromised. Proximity cards similarly use a numeric access code that can be discovered with some ingenuity. Furthermore, the information in all of the interfaces described above can be stolen from the true possessor and used without repercussion. A PIN code will open a lock just as easily for one person as another, as will a proximity card. There is no way to associate the information with a particular user at any given moment. The second major problem is that these systems are not accessible to all individuals. Those with physical disabilities may not be able to reach a magnetic stripe reader or may not be able to punch in a PIN number. Current biometric implementations require the user to contribute a biometric template that can be used for future comparisons. However, because the biometric is unique to each individual, it cannot be changed in the event of a compromise.

What is needed is a device, method and system that indisputably identifies persons of all physical capabilities wishing to access protected resources, furthermore protecting their privacy and credentials from possible compromisation.

Following are the description of the related art in this technology. Clark, in U.S. Pat. No. 4,847,542 describes an electronic garage door access system that comprises a two-button portable, wireless controller and a transceiver unit that operates the garage door upon receipt of appropriate signals from the controller. One button on the wireless controller sends a request to open the door, while the other button toggles between a secure and non-secure state; in the secure state, requests to open the door are ignored. This invention additionally adds a loading capability to the transceiver unit, in which a remote load is activated upon signaling from the wireless controller. When the system is in the secure mode, and the door is already open, depression of the secure button will toggle the remote load. For example, pushing the secure button may turn on a light within the house or garage. Though the system discusses use of security measures, the security is minimal and cannot guarantee the identity of those accessing the garage.

Russell, in U.S. Pat. Nos. 5,481,265, 5,729,220, and 6,201,484 describes a ‘secure access transceiver.’ The invention illustrates a handheld electronic device that incorporates biometric and wireless technology with a button-oriented user interface. The device is used to provide authentication of an individual without compromising her personal privacy. International Application No. PCT/US00/42323 further extends this secure access transceiver device to teach a concept of an invention called a Biometric Personal Identification Device (BPID). A BPID is a handheld electronic device that provides multi-factor authentication and allows its registered and/or enrolled owner to control the release and dissemination of stored information such as financial accounts, medical records, passwords, personal identification numbers, and other sensitive data and information. The device has tamper-resistant packaging with form factors ranging from credit card size to key fobs, a fingerprint scanner—although those familiar in the art will recognize that this can be interchanged with another biometric technology, and these are covered in Russell's patent application—liquid crystal display (LCD) and buttons for user interaction, a wireless interface for communication with other electronic devices, and a self-generated public key/private key pair for digitally signing data. The device has been developed so that the fingerprint cannot be physically or electronically removed or transmitted from the device, and information cannot be physically or electronically removed or transmitted from the device unless released by the owner of the authorizing fingerprint. All data and processing is performed in secure silicon.

The BPID can store and run multiple applications, allowing an individual to store a variety of personal information, although it is important to note that the applications are fully independent and cannot affect other applications' data. Many of these applications require the owner to transmit information to a terminal; for example, the BPID may wirelessly transmit financial account information to a cash register during an in-store purchase. In order to make this transaction secure, the BPID uses its private key to create a digital signature on all information that the individual chooses to release. Recipients of information from the BPID use the encrypted digital signature and a database of public keys to confirm that the information came from a specific device and that the information has not been altered. If it is desired by the driver license verification application and/or other independent applications, the BPID can encrypt all transmitted data and information so that only the intended recipient can decode the information. The BPID places the control of personal and private information in the hands of the individual that owns the information and the organization that issues the device and/or creates device applications.

Despite the magnitude of these inventions, there is nothing in the related art that provides definitive personal identification while simultaneously protecting the privacy of individuals wishing to access protected resources.

Therefore, the objects of the invention as described with respect to FIGS. 7-9 are as follows. It is a primary object of the present invention, to provide an apparatus, method and system, which taken together, provide means for absolute personal identity authentication for individuals wishing to physically access protected resources and assets, while simultaneously guaranteeing individuals' power to personally authorize dissemination of personal identity credentials.

Another primary object of the present invention is to enable controlling institutions to audit the activity of individuals attempting to access the protected resources.

Another object of the present invention is to match physical persons to discrete devices such that only the authorized individual is associated with a device.

For example, the apparatus of the invention uses a BPID to replace the user interface to electronic locks. The credentials supplied by key fobs, magnetic stripe cards and smart cards cannot definitively identify an individual as discussed above. However, the BPID indisputably identifies whether the possessor of the device is the registered owner, and also guarantees that the credentials an individual supplies to receive a BPID are authentic, valid and correct. These two attributes combine to provide guaranteed personal authentication.

Furthermore, because the BPID is equipped with a short-range wireless technology, the invention does not require an individual to swipe a card through a reader, enter a PIN with small buttons, or perform any other potentially difficult motion for those with physical disabilities. The BPID communicates with portable, wireless transceivers that are strategically placed at the access point to the controlled resources. The transceivers may have local databases that store individuals' credentials, or may use on-line verification as described above. Because the BPID can communicate wirelessly, the transceiver can be placed in a position allowing for better aesthetics or more convenient electrical wiring and networking, and further allows those with physical disabilities to be in any orientation or position within range and still communicate with the lock.

Briefly, FIG. 7 illustrates a view of different components of the BPID. FIG. 8 illustrates an external view of the BPID. FIG. 9 illustrates the BPID Interaction with System. Specifically, FIG. 9 shows a simple illustration of the use of the invention. The user initiates the process for accessing a protected resource (Step 1). The access point then communicates a request to the BRED for the user to authenticate himself (Step 2). After successful authentication, the BPID notifies the access point that the device has successfully authenticated its owner (Step 3). The access point requests transmission of credentials from the device (Step 4). The device timestamps and digitally signs the credentials and transmits them to the access point (Step 5). The access point communicates with a database to determine if the individual has access rights (Step 6). If the rights are granted (Step 7), the access point transmits an authorization to the device (Step 8).

Institutions possess assets that may require restricted access or auditing of individuals' access to said assets. For example, companies that perform contracting work for the government often work with highly sensitive information. For this reason, these companies perform background investigations on employees that will potentially work with the restricted data, require employees to provide proof of authorization to access the data, and require full auditing of employees' access.

As described in the systems above, proof of authorization is often a magnetic stripe card or other type of identification card or PIN number, but can also include biometric authentication. However, all of these systems have associated problems ranging from preventing those with disabilities from use to reduction of personal privacy. The BPID, when enrolled correctly and issued to every individual requiring access to restricted assets, serves as the perfect combination of secure authentication and privacy. The controlling institution can require less personal information from an individual than in the schemes above, particularly the biometric schemes, because all of the credentials are signed with a private key (generated within the BPID) before transmission. Making the process even more secure is that the private key can only he used after authentication of the fingerprint to the device.

The access point describes a microcontroller, short-range radio, and electric lock configuration such that the microcontroller controls radio communications and the state of the electric lock. The preferred embodiment of this invention will use an electric strike for purpose of illustration, although those familiar in the art will recognize that changes in these selections will not significantly alter the system in its' entirety. Specifying a particular microcontroller is unnecessary other than to state that it must have sufficient available input/output pins and computational power to support a radio technology, in addition to sufficient programmable memory to store relevant software.

The electric strike in a general form can either be classified as fail-safe or fail-secure. Fail-safe designs keep the lock unlocked until a threshold supply voltage is applied to the lock, while fail-secure designs keep the lock locked until a threshold supply voltage is applied. This design necessitates a fail-secure electric strike due to the security implications of the requirements. The electric strike is controlled essentially by a solenoid; there are two wires that leave the electric strike which are connected to power and ground of a power source. When significant voltage is applied to the power wire, the solenoid creates magnetic and electric fields such that the lock is forced to open.

In the preferred embodiment of this invention, one wire of the electric strike is directly or indirectly connected—as necessitated by circuit constraints—to an output or input/output pin of the microcontroller. Due to the analog nature of the hardware, requisite currents may force placement of amplifier circuits, triggers, and electric isolators between the output of the microcontroller pin and the lock wire, but should not impact the logical result. The second wire from the electric strike is connected to ground, and may require additional elements that are determined by the physical properties of all hardware involved.

The microcontroller has software and/or firmware to control when the pin connected to the lock is activated or deactivated. This software is directly linked to the software that authorizes an individual. The microcontroller defaults the pin to a logic low—causing the lock to remain securely closed—but toggles the pin to a logic ‘high’ if the authorization software approves the individual, in turn causing the lock to release.

When the BPID comes within range of a door lock enabled as described above, a screen will flash up on the BPID's LCD prompting the user to choose whether or not to unlock the door. If the user chooses to unlock the door, he must authenticate himself to the BPID. Upon successful authentication, the BPID signs the individual's credentials with the user's private key, and encrypt with either a pre-negotiated session or symmetric key, or with the transceiver/system's public key. The signature proves that the authorized user sent the message, while the subsequent encryption guarantees that unauthorized recipients cannot read the message and later use the credentials for their own benefit. After these cryptographic processes, the BPID transmits the credentials to the door lock's transceiver.

Upon receipt of the credentials, the transceiver relays the message to the microcontroller. Depending on the verification method of the system, whether it be on-line or off-line processing, the microcontroller forwards the credentials as necessary. If the system uses on-line processing, the microcontroller may use an Ethernet interface to send the data to a central server, while in off-line processing the microcontroller may access a database stored in local memory. Additionally, depending on the configuration of the system, the microcontroller may perform preprocessing on the message including verification of the signature and decryption of the message, although a remote central server similarly may perform this function. If the credentials verify correctly, the microcontroller will then toggle the lock to open.

For example, the various features and characteristics of the BPID interactive system may include:

1. A privacy and security oriented autonomous electronic resource access personal identification apparatus means for distributed and remote self-verification and self-verification display by at least one enrolled authorized individual.

2. The privacy and security oriented electronic resource access personal identification apparatus as recited in 1, further comprising biometric means for self-verification.

3. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human fingerprints.

4. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human handprints.

5. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human voice.

6. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human iris patterns.

7. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human facial patterns.

8. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human retinal patterns.

9. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human heartbeat patterns.

10. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means comprise human DNA patterns.

11. The privacy and security oriented resource access personal identification apparatus as recited in 2, wherein said biometric means are at least one of a digit-print, a handprint, a voice input, retinal data, iris data, facial data, DNA data, and heartbeat data.

12. A method for conducting private and secure facility access identification verification comprising:

-   -   a. requesting to initiate an access sequence between the access         point of the secured facility and any of the personal         identification apparatuses as recited in 1-11,     -   b. prompting the individual to authenticate himself to said         personal identification apparatus,     -   c. transmitting requisite personal identity credentials to said         access point upon successful verification,     -   d. verifying the received personal identity credentials within         said access point or within a remotely connected database of         authorizations,     -   e. signaling the authorization or denial of the individual         requesting access from the database of authorizations to the         access point physical mechanism,     -   f. notifying the user of the authorization or denial, and     -   g. permitting or restricting access accordingly.

13. A privacy and security oriented electronic resource access personal identification credential verification system for conducting private and secure facility access identification verification, comprising at least one of the autonomous electronic facility access personal identification apparatuses as recited in any of 1-11, an enrollment subsystem for initially enrolling, storing, comparing, matching, verifying and authenticating a plurality of authorized individuals, authorization rules, and at least one authorized user preauthorized to access said electronic resource access identification apparatus and preauthorized and allowed to access a restricted resource.

While the description above refers to particular embodiments of the present invention, it will be understood that many modifications may be made without departing from the spirit thereof. The accompanying claims are intended to cover such modifications as would fall within the true scope and spirit of the present invention. 

1. (canceled)
 2. A non-transitory computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a first electronic device with a display and one or more biometric sensors, cause the first device to: while the first device is proximate to a second device, request user authentication using the one or more biometric sensors; after requesting the user authentication, detect biometric information associated with the user with the one or more biometric sensors; in response to detecting the biometric information associated with the user: in accordance with a determination that the detected biometric information associated with the user meets authentication criteria, provide credentials associated with the user to the second device; and in accordance with a determination that the detected biometric information associated with the user does not meet the authentication criteria, forgo providing the credentials associated with the user to the second device.
 3. The medium of claim 2, wherein requesting the user authentication comprises displaying an authentication user interface on the display in response to detecting that the first device is within range of the second device.
 4. The medium of claim 2, wherein the credentials associated with the user are encrypted prior to being transmitted to the second device.
 5. The medium of claim 2, wherein the credentials associated with the user are distinct from the biometric information of the user.
 6. The medium of claim 2, wherein the second device is in communication with a remote server that is physically remote from the first device and the second device, and the second device communicates with the remote server to verify the credentials associated with the user in order to complete an authentication transaction associated with the credentials transmitted to the second device.
 7. The medium of claim 6, wherein the authentication transaction is not completed until the credentials associated with the user are verified by the remote server.
 8. The medium of claim 2, wherein the instructions, when executed, further cause the first device to: after providing the credentials associated with the user to the second device, in accordance with the determination that the detected biometric information associated with the user meets the authentication criteria: receive a reply from the second device: in response to receiving the reply: in accordance with a determination that the reply indicates that the credentials associated with the user are verified, complete an authentication transaction, and in accordance with a determination that the reply indicates that the credentials associated with the user are not verified, halt the authentication transaction.
 9. The medium of claim 2, wherein the one or more biometric sensors comprise a fingerprint sensor, and the biometric information associated with the user comprises a fingerprint of the user.
 10. The medium of claim 9, wherein determining whether the biometric information associated with the user meets authentication criteria comprises: comparing the fingerprint of the user to a database of fingerprints associated with an authentication transaction requested by the user; and determining that the biometric information associated with the user meets the authentication criteria if a match is found in the database, and determining that the biometric information associated with the user does not meet the authentication criteria, if a match is not found in the database.
 11. The medium of claim 2, wherein the first device communicates with the second device through a wireless communication medium.
 12. A method, comprising: at a first electronic device with a display and one or more biometric sensors: while the first electronic device is proximate to a second electronic device, requesting user authentication using the one or more biometric sensors; after requesting the user authentication, detecting biometric information associated with the user with the one or more biometric sensors; in response to detecting the biometric information associated with the user: in accordance with a determination that the detected biometric information associated with the user meets authentication criteria, providing credentials associated with the user to the second device; and in accordance with a determination that the detected biometric information associated with the user does not meet the authentication criteria, forgoing providing the credentials associated with the user to the second device.
 13. The method of claim 12, wherein requesting the user authentication comprises displaying an authentication user interface on the display in response to detecting that the first device is within range of the second device.
 14. The method of claim 12, wherein the credentials associated with the user are encrypted prior to being transmitted to the second device.
 15. The method of claim 12, wherein the credentials associated with the user are distinct from the biometric information of the user.
 16. The method of claim 12, wherein the second device is in communication with a remote server that is physically remote from the first device and the second device, and the second device communicates with the remote server to verify the credentials associated with the user in order to complete an authentication transaction associated with the credentials transmitted to the second device.
 17. The method of claim 16, wherein the authentication transaction is not completed until the credentials associated with the user are verified by the remote server.
 18. The method of claim 12, further comprising: after providing the credentials associated with the user to the second device, in accordance with the determination that the detected biometric information associated with the user meets the authentication criteria: receiving a reply from the second device: in response to receiving the reply: in accordance with a determination that the reply indicates that the credentials associated with the user are verified, completing an authentication transaction, and in accordance with a determination that the reply indicates that the credentials associated with the user are not verified, halting the authentication transaction.
 19. The method of claim 12, wherein the one or more biometric sensors comprise a fingerprint sensor, and the biometric information associated with the user comprises a fingerprint of the user.
 20. The method of claim 19, wherein determining whether the biometric information associated with the user meets authentication criteria comprises: comparing the fingerprint of the user to a database of fingerprints associated with an authentication transaction requested by the user; and determining that the biometric information associated with the user meets the authentication criteria if a match is found in the database, and determining that the biometric information associated with the user does not meet the authentication criteria, if a match is not found in the database.
 21. The method of claim 12, wherein the first device communicates with the second device through a wireless communication medium.
 22. A first electronic device, comprising: a display; one or more processors; memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions, which when executed by the one or more processors, cause the first device to: while the first device is proximate to a second device, request user authentication using the one or more biometric sensors; after requesting the user authentication, detect biometric information associated with the user with the one or more biometric sensors; in response to detecting the biometric information associated with the user: in accordance with a determination that the detected biometric information associated with the user meets authentication criteria, provide credentials associated with the user to the second device; and in accordance with a determination that the detected biometric information associated with the user does not meet the authentication criteria, forgo providing the credentials associated with the user to the second device.
 23. The device of claim 22, wherein requesting the user authentication comprises displaying an authentication user interface on the display in response to detecting that the first device is within range of the second device.
 24. The device of claim 22, wherein the credentials associated with the user are encrypted prior to being transmitted to the second device.
 25. The device of claim 22, wherein the credentials associated with the user are distinct from the biometric information of the user.
 26. The device of claim 22, wherein the second device is in communication with a remote server that is physically remote from the first device and the second device, and the second device communicates with the remote server to verify the credentials associated with the user in order to complete an authentication transaction associated with the credentials transmitted to the second device.
 27. The device of claim 26, wherein the authentication transaction is not completed until the credentials associated with the user are verified by the remote server.
 28. The device of claim 22, wherein the instructions, when executed by the one or more processors, further cause the first device to: after providing the credentials associated with the user to the second device, in accordance with the determination that the detected biometric information associated with the user meets the authentication criteria: receive a reply from the second device: in response to receiving the reply: in accordance with a determination that the reply indicates that the credentials associated with the user are verified, complete an authentication transaction, and in accordance with a determination that the reply indicates that the credentials associated with the user are not verified, halt the authentication transaction.
 29. The device of claim 22, wherein the one or more biometric sensors comprise a fingerprint sensor, and the biometric information associated with the user comprises a fingerprint of the user.
 30. The device of claim 29, wherein determining whether the biometric information associated with the user meets authentication criteria comprises: comparing the fingerprint of the user to a database of fingerprints associated with an authentication transaction requested by the user; and determining that the biometric information associated with the user meets the authentication criteria if a match is found in the database, and determining that the biometric information associated with the user does not meet the authentication criteria, if a match is not found in the database.
 31. The device of claim 22, wherein the first device communicates with the second device through a wireless communication medium. 